Mailinglist Archive: opensuse-security (109 mails)

Re: [suse-security] dns-Spoofing and ssh?
  • From: Andreas Gaupmann <andreas.gaupmann@xxxxxxx>
  • Date: Thu, 30 Mar 2006 11:43:51 +0200
  • Message-id: <200603301143.52022.andreas.gaupmann@xxxxxxx>
Hello Frank,

On Thursday 30 March 2006 10:28, Moskito wrote:
> The manpage of ssh_config describes the option CheckHostIP, which is
> enabled by default.
> The description says that this option can protect from DNS spoofing
> attacks.
>
> I just wondered how a DNS spoofing attack on ssh could work in general?
> If I ssh to a machine:
> ssh host1
> the ssh client will resolve the IP of host (could be DNS, depends on
> resolv.conf), connect to the host and check the host key of host1
> against /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts.
> If someone manages to give me a wrong IP for host1 and I connect to this
> fake host, ssh should complain about the wrong host key...
> Why do I need some kind of extra DNS spoofing protection?
>
Because the next two statements are not equivalent:
- The well-known IP address for a domain name has changed
- The SSH server identification has changed

Nevertheless, in most DNS spoofing attacks both cases will occur, as you have
mentioned.

Cheers,
Andreas
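
Added example, not part of the original mail and not OpenSSH code: a simplified Python model of checking a presented host key against both the hostname record and the IP record in known_hosts, which shows that "address changed" and "server identification changed" are separate outcomes. The function names, the classification strings and the sample known_hosts content (placeholder keys, documentation addresses) are constructed for illustration; only plain, unhashed entries are handled.

```python
# Simplified model of a key lookup by hostname and by resolved IP address.
# Not OpenSSH code; handles only plain (unhashed) known_hosts entries.

# Constructed sample data: key blobs are placeholders, not real keys.
KNOWN_HOSTS = """\
host1,192.0.2.10 ssh-ed25519 KEY-A
host2 ssh-ed25519 KEY-B
192.0.2.20 ssh-ed25519 KEY-B
192.0.2.66 ssh-ed25519 KEY-X
"""

def parse_known_hosts(text):
    """Map each listed name or address to the set of (keytype, key) pairs."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|")):
            continue  # skip comments, @markers and hashed entries
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        for name in fields[0].split(","):
            table.setdefault(name, set()).add((fields[1], fields[2]))
    return table

def lookup(table, name, keytype, key):
    """Return 'match', 'mismatch' or 'unknown' for one name or address."""
    keys = {k for t, k in table.get(name, ()) if t == keytype}
    if not keys:
        return "unknown"
    return "match" if key in keys else "mismatch"

def check_host(table, hostname, resolved_ip, keytype, key):
    """Classify a connection using the hostname record and the IP record."""
    by_name = lookup(table, hostname, keytype, key)
    by_ip = lookup(table, resolved_ip, keytype, key)
    if by_name == "mismatch":
        return "server identification changed (IP record: %s)" % by_ip
    if by_ip == "mismatch":
        return "host key ok, but address is known with a different key"
    if by_ip == "unknown":
        return "host key %s, address not seen before" % by_name
    return "host key %s, address consistent" % by_name
```

Only the by-name lookup can report that the server identification changed; the by-IP lookup adds the cases where the name's key still matches but the address it resolved to is new or is recorded with a different key.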
